Ignore DHCP options 124 and 125 to shut up the warning messages.
These options are defined in the RFC 3925.
PR: 281361
Reviewed by: jrm (mentor), otis (mentor), thj
Tested by: jlduran@gmail.com
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46760
These changes were made by accident in:
ipfilter: Adjust userland returns to conform to style(9)
2582ae5740
That commit made similar mistakes in other man pages, but those have
already been fixed.
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1433
forces logging on all subsequent matching rules
new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
Obtained from: OpenBSD, henning <henning@openbsd.org>, 1603e01ae4
Obtained from: OpenBSD, henning <henning@openbsd.org>, f496e91672
Obtained from: OpenBSD, henning <henning@openbsd.org>, 07481a9fee
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46588
In some cases the netmask gets set to a full 128 bit mask even if no
address family is selected; don't print the v6 mask if it's a v4 address.
Obtained from: OpenBSD, mcbride <mcbride@openbsd.org>, f6d7b41f07
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46584
lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto
Reviewed by: zlei
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, e6e3ecf338
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46582
In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride
Obtained from: OpenBSD, deraadt <deraadt@openbsd.org>, e3b4bc25a0
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46580
add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
i've been running this in production for a week now. i find it particularly
useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 95b4320893
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46577
Similar to "promisc", this allows the IFF_ALLMULTI flag to be toggled
from userspace if it happens to be useful to disable multicast packet
filtering. One use-case is when implementing IPv6 neighbour discovery
over netmap.
Reviewed by: zlei, glebius
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D46525
With Endpoint Independent NAT, bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without affecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour; it does
not introduce any additional security considerations compared to other
forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137
The pfik_ifp field is not provided by the kernel, it is always NULL. Do not
check for it. This caused us to not clear the skip flag on interfaces, leading
to unexpected behaviour when a 'set skip' was removed.
PR: 280834
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46311
When route_to() processes a packet without state, pf_map_addr() is called for
each packet. pf_map_addr() will search for a source node and will find none
since those are created only in pf_create_state(). Thus sticky address,
even though requested in rule definition, will never work.
Raise an error when a stateless filter rule uses sticky address to avoid
confusion and to keep ruleset limitations in sync with what the pf code
really does.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310
Linux's `nvme sanitize -a` takes a number, not a string. Accept 1-4 for
compatibility so vendor's recipes are easier to implement.
Sponsored by: Netflix
Document new n flag for disabling ARP resolution within dhclient.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Make arp_timeout available to dhclient.c, set the default timeout to 250
ms, and provide a new command-line argument, 'n' for setting the timeout
to 0.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Change the use of time() to clock_gettime() to have millisecond-accurate
rather than second-accurate timeouts.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Use the new add_timeout_timespec() API to handle timeouts for
state_selecting within dhclient.c. No functional change intended.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
Introduce a new function, add_timeout_timespec(), to use timespec
structs to handle timeouts. Make add_timeout() into a wrapper for the
latter function to retain compatibility with the rest of the codebase.
No functional change intended.
Sponsored by: Google LLC (GSoC 2024)
Signed-off-by: Isaac Cilia Attard <icattard@FreeBSD.org>
MFC after: 10 days
Reviewed by: cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1368
A last minute change moved this from -W to -q; fix the sorting in a few
places to reflect that.
Fixes: 6c7ec630c2 ("shutdown: add a -q(uiet) flag to suppress [...]")
Sponsored by: Klara, Inc.
The system-wide warning makes sense in multi-user environments, but
shutdown(8) may be used on systems or in scenarios where there's nobody
to warn and wall(1) just introduces unnecessary complexity and overhead
to the shutdown process.
Add an option to suppress the warning entirely for those contexts that
want to do so, which are anticipated to mainly be in appliance or
single-user desktop-style systems.
Reviewed by: des
Reviewed by: allanjude, imp (earlier version)
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D46216
Add missing flags to veriexec(8) as well as some examples to
help explain usage.
Also add veriexec.4
Sponsored by: Juniper Networks, Inc.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D46207
+ real-time and rtc added to search keywords
- local dropped from search keywords
+ ntpd added to see also
+ use machine independent language
Reported by: emaste (MI language)
MFC after: 3 days
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1326
libpfctl doesn't set errno, instead it returns error codes. Take that into
account when handling errors so that we report the actual error.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Ensure that we rebuild the test binary when we add tests (i.e. modify
pfctl_test_list.inc).
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
To make parsing of, for example, Spamhaus' drop.txt and similar
files that contain semicolons as comments, allow them also
in file-based tables.
Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46088
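An added illustration of the comment handling described in the commit above; it is not pfctl's code and not part of the commit message. The helper names `table_line_entry` and `count_sample_entries` and the sample lines are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper (not pfctl's code): cut a table-file line at the
 * first '#' or ';' comment marker, trim surrounding whitespace, and return
 * the remaining entry, or NULL if nothing is left. Modifies the buffer.
 */
static char *
table_line_entry(char *line)
{
	char *end;

	line[strcspn(line, "#;")] = '\0';	/* drop the comment, if any */
	while (isspace((unsigned char)*line))
		line++;
	end = line + strlen(line);
	while (end > line && isspace((unsigned char)end[-1]))
		*--end = '\0';
	return (*line != '\0' ? line : NULL);
}

/* Constructed sample in the style of a drop list (documentation prefixes). */
static const char *sample[] = {
	"; constructed sample list",
	"192.0.2.0/24 ; SBL-EXAMPLE-1",
	"  198.51.100.0/24\t# hash comments still work",
	"",
	"2001:db8::/32;no space before the marker",
};

/* Count usable entries; comment-only and blank lines yield none. */
static size_t
count_sample_entries(void)
{
	char buf[128];
	size_t i, n = 0;

	for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
		strncpy(buf, sample[i], sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = '\0';
		if (table_line_entry(buf) != NULL)
			n++;
	}
	return (n);
}
```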
Passing overlapping buffers to strcpy yields an undefined result, so
let's avoid it. The copy doesn't really need to happen anyways, we can
just point to the domain part of the hostname.
This was discovered with _FORTIFY_SOURCE.
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Reviewed by: allanjude, emaste, imp, melifaro (all previous version)
Differential Revision: https://reviews.freebsd.org/D32615
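An added illustration of the overlapping-strcpy problem described in the commit above; it is not the FreeBSD source and not part of the commit message. The overlapping call shown in the comment is an assumed form of the pattern, and `domain_part` and `strip_host_label` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

/*
 * Assumed shape of the problem (constructed, kept as a comment only).
 * Source and destination overlap, so strcpy() has undefined behaviour:
 *
 *	if ((dot = strchr(host, '.')) != NULL)
 *		strcpy(host, dot + 1);
 */

/* Point at the domain part instead of copying; NULL if there is none. */
static const char *
domain_part(const char *host)
{
	const char *dot = strchr(host, '.');

	if (dot == NULL || dot[1] == '\0')	/* no dot, or trailing dot only */
		return (NULL);
	return (dot + 1);
}

/*
 * If the buffer really must be rewritten in place, memmove() is defined
 * for overlapping regions where strcpy() and memcpy() are not.
 */
static int
strip_host_label(char *host)
{
	const char *dom = domain_part(host);

	if (dom == NULL)
		return (-1);
	memmove(host, dom, strlen(dom) + 1);	/* +1 copies the terminator */
	return (0);
}
```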
The internal KATO is stored in milliseconds, so convert the command
line argument (given in seconds) to milliseconds before passing to
nvmf_connect().
Sponsored by: Chelsio Communications
Ignore SIP servers dhcp option to shut up the warning message.
This option is defined in the RFC 3361 and sent from NSD-G1000T router.
PR: 280119
Reviewed by: jrm (mentor), brooks
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D45873
ZFS' libspl needs to be made aware that we have strlcat(3) and
strlcpy(3) to avoid some more complicated declaration duplication, so
go ahead and define these HAVE_ macros now.
libprocstat has to define `_KERNEL` and include kernel headers in order
to get what it wants, but this results in sys/cdefs.h being included too
late and we pick up the build breaking version of the __RENAME
definition. Just explicitly include sys/cdefs.h earlier rather than
disabling _FORTIFY_SOURCE. The zfs/ subdir only builds an object that
holds some structures and sizes, so just disable _FORTIFY_SOURCE there
entirely rather than trying to move #define _KERNEL into the file.
While we're here, make sure that we disable _FORTIFY_SOURCE in the
bootloader because we don't have the symbol renaming support today to do
it as cleanly as we'd like. ssp/ssp.h needs to be pulled into the libsa
environment so that other bits can understand that ssp is disabled in
the consistent __SSP_FORTIFY_LEVEL way that we try to do.
Reviewed by: allanjude (previous version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45676
Update the man page descriptions so that apropos are more consistent for
console related man pages.
Motive: apropos results: clarify consistently
MFC after: 3 days
Reviewed by: emaste, imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1275